[Mesa-dev] [PATCH] vl: Fix off-by-one error in device_name_length allocation.

Christian König deathsimple at vodafone.de
Fri Feb 22 01:58:36 PST 2013


Am 22.02.2013 07:44, schrieb Vinson Lee:
> Fixes out-of-bounds write reported by Coverity.
>
> Signed-off-by: Vinson Lee <vlee at freedesktop.org>

Reviewed-by: Christian König <christian.koenig at amd.com>

> ---
>   src/gallium/auxiliary/vl/vl_winsys_dri.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/gallium/auxiliary/vl/vl_winsys_dri.c b/src/gallium/auxiliary/vl/vl_winsys_dri.c
> index 560c914..59c02bc 100644
> --- a/src/gallium/auxiliary/vl/vl_winsys_dri.c
> +++ b/src/gallium/auxiliary/vl/vl_winsys_dri.c
> @@ -338,7 +338,7 @@ vl_screen_create(Display *display, int screen)
>         goto free_screen;
>   
>      device_name_length = xcb_dri2_connect_device_name_length(connect);
> -   device_name = CALLOC(1, device_name_length);
> +   device_name = CALLOC(1, device_name_length + 1);
>      memcpy(device_name, xcb_dri2_connect_device_name(connect), device_name_length);
>      device_name[device_name_length] = 0;
>      fd = open(device_name, O_RDWR);



More information about the mesa-dev mailing list